What is a Botnet?

A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Although such a collection of computers can be used for useful and constructive applications, the term botnet typically refers to such a system designed and used for illegal purposes. Such systems are composed of compromised machines that are assimilated without their owner's knowlege.

The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'.

Botnet Formation and Propagation

For a botnet to form and grow, it must accumulate drones, and each drone must be individually exploited, infected, and assimilated into the botnet. The more drones a botnet owner (herder) has at their disposal, the more impact the botnet can have on the internet at large. Thus, gathering these drones is a key task for any herder.

For this reason, most bot software contains spreaders that automate the task of scanning ip addresses for vulnerable software holes. Once found, the open machines are attacked and infected with the bot software, and the pattern continues. With each newly compromised drone, the botnet gains more power to infect more. The only difference between a bot and a conventional worm is the existence of a unifying control system.

Command and Control Mechanisms

A collection of computers is useless without some control mechanism. The Command and Control, or C&C, constitutes the interface between the botnet and the herder. The herder commands the C&C, and the C&C commands the bots.

Traditionally, botnets have been controlled using Internet Relay Chat (IRC). This framework has been favored for its simplicity, flexibility, and ease of administration. IRC is a ubiquitous communications standard on the internet, and is thus easy to modify for any purpose. Bot software is designed to connect the infected host to an IRC server and accept commands from a control channel. Herders have the option to utilize existing chat services and networks, or easily implement their own control servers by simply compromising a host and installing an IRC daemon.

Although herders do not directly communicate with the bots, they must communicate with the C&C server to issue commands. Although this offers a substantial level of protection if the C&C server is privately owned and operated, herders may utilize TOR as an additional safegaurd should the C&C be seized and investigated.

IRC has the disadvantage that chatroom traffic is transmitted in cleartext, which means that spying on botnet traffic is relatively easy should one utilize a packet sniffer such as Ethereal. Recently however, we have seen the emergence of new encryption techniques that mask the herders commands.

Also a significant number of botnets makes use of HTTP to implement the C&C. Being a stateles protocol it does not allow the herders to send commands to the drones in realtime but the bot has to check for new commands periodically. The advantage of HTTP is that it is usually not blocked on firewalls and sniffing the communication will not reveal any information about other drones on the network.

Botnet Uses

The very nature of botnets gives criminals plenty of power on the internet at large. With control over so many compromised systems, herders can now engage in quite more damaging activities than the internet has seen before.

Click Fraud

Botnets can be used to engage in Click Fraud, where the bot software is used to visit web pages and automatically "click" on advertisement banners. Herders have been using this mechanism to steal large sums of money from online advertising firms that pay a small reward for each page visit. With a botnet of thousands of drones, each clicking only a few times, the returns can be quite large. Since the clicks are each coming from seperate machines scattered accross the globe, it looks like legitimate traffic to the untrained investigator.

DDoS

Botnets can be utilized to wage war on others machines on the internet by completely saturating its bandwidth or other resources. Such DDOS (Distributed Denial of Service) attacks can prevent access to a particular website for incredibly long periods of time. This places a tremendous burden on the financial operations of many corporations that are unable to reach out to their customers. Extortion attacks have also occured where criminals will demand payment from online vendors to end the onslaught and allow traffic to once again flow.

DDOS attacks are possible because a botnet gives a malicious criminal unimaginable network resources. With the capability of establishing many connections from many individual network sources, mitigating such attacks becomes difficult.

Keylogging

Keylogging is perhaps the most threatening botnet feature to an individual's privacy. Many bots listen for keyboard activity and report the keystrokes upstream to the bot herder. Some bots have builtin triggers to look for web visits to particular websites where passwords or bank account information is entered. This gives the herder unprecendented ability to gain access to personal information and accounts belonging to thousands of people.

Beyond keylogging, many bots grant the herder complete access to the drones filesystem, enabling the herder to transfer any files they wish, read any documents the user may have stored on the computer, or upload more malicious files or warez.

Warez

Botnets can be used to steal, store, or propogate warez. Warez constitutes any illegally obtained and/or pirated software. Bots can search hard drives for software and licenses installed on a victims machine, and the herder can easily transfer it off for duplication and distribution. Furthermore, drones are used to archive copies of warez found from other sources. As a whole, a botnet has a great deal of storage capacity.

Spam

Botnets often are used as a mechanism of propogating spam. Compromised drones can forward spam emails or phish scams to many 3rd party victims. Furthermore, instant messaging accounts can be utilized to forward malicious links or advertisements to every contact in the victim's address book. By spreading spam-related materials through a botnet, a herder can mitigate the threat of being caught as it is thousands of individual computers that are taking on the brunt of the dirty work.

Botnet Mitigation

Botnets would not be as dangerous of a force online today if it weren't for the dramatic numbers of compromised systems. In all of the attacks listed above, many would not be a reality if botnet drone populations were not as large as they are today. With drone counts as high as 60-80 thousand, the access that herders have to the private lives of citizens and the power that herders have over the largest network giants is staggering.

Therefore, the best way to mitigate botnets is to keep them from forming in the first place. Botnets would not be such a threat today if malware could not propagate and infect such vast numbers of systems. It is up to each individual to ensure that their systems and software are patched and upgraded, otherwise they can easily fall victim to infection and exploitation.

From Detection to Takedown

Finding Botnets

Botnets can be stumbled upon in a variety of different ways. Detection can manifest itself in the form of malware-hunting based intelligence or from the perspective of network/machine diagnosis of a problem.

Active botnet-hunting techniques

The following constitute an active program for searching for the botnets. Many techniques involve finding the bot malware itself and studying the infection in sandboxes.

Honeypots such as Nepenthes: Collect malware from other attacking computers on the internet.

Instant messenger spam: Capture links sent to IM users that point to malicious files.

Once malware is located, analysis is performed on the collected samples to determine the access mechanism to the botnet. Once we have the location and protocols of the command and control server, we can proceed to monitoring.

See this document for a more extensive rundown of detection strategies.

Stumbling upon botnets

If you have a problem, your solution may indeed involve the discovery of a bot on your end, and subsequent investigation could indeed stumble upon a full-blown net. Finding an infestation on a single home or business computer is sometimes all it takes, however it requires a more deep investigation of the problem at hand to find a botnet. Simply finding and removing a viral infection on a pc does nothing for intelligence.

IT managers of large organizations may have an upper hand at detection of botnets if a massive proportion of their internal net is infected. These situations can manifest if the machine count is high and, due to homogenous administration, all machines are vulnerable to the same exploits at any given time. When a bot invades, the entire network can be infected in very short order. This was demonstrated quite clearly when a botnet infested the network of a hospital in Seattle and disabled the network, and hospital operations, in very short order. The criminal responsible is now in custody.

If many, many machines are connecting to some obscure ip at the same time, it's either a ridiculously popular internet phenomenon, or it is a command and control server for something nefarious. DNS queries as well, from many of your machines to a single obscure domain name, may tip you off to something strange.

Even more striking could be a complete suspension of network functionality as the botcount exponentially increases, and as the scanning rate skyrockets.

Even if not such a traffic burden is detected, if one knows the ip addresses of command and control servers, one can find a bot infestation by looking for dns queries or the traffic itself to the particular host, however high volume connections from many compromised machines are a more telling sign if one is going on nothing but a hunch.

A Snoop is Established

The Shadowserver analyst who is tracking the botnet establishes a client session directly with the command and control server. This is done to mimic an actual compromised system who has joined the botnet. If all goes well, the attacker sees the snoop as just another malicious drone on the network. However, our custom software only logs the botnet's traffic without performing any malicious capabilities that an actual bot would have.

The Takedown

After sufficient incriminating evidence is collected, Shadowserver collaborates with relevant law enforcement agencies and service providers to get the net shut down and the criminal parties apprehended.

In some cases, the Command & Control information for the botnet is published on the Shadowserver website and distributed to public mailing lists.